Even though the adoption of SaaS apps started more than ten years ago, CISOs are still finding it challenging to tackle the accumulated security debt.
The prevalence of phishing and account takeover attacks has raised significant concerns, as most organizations have experienced them within the last year. However, traditional network-based solutions such as firewalls, proxies, and CASBs have proven inadequate in providing the necessary protection for SaaS environments.
Critical gaps in existing solutions’ capabilities, security architecture that doesn’t recognize the browser as a prominent, standalone attack surface, and low resilience to web-borne threats are among the findings of a global survey by LayerX.
150 CISOs across multiple geographies and verticals were polled about their security practices across various disciplines that ultimately come down to securing users, data, and applications within the browser: secure SaaS access, SaaS security and data protection, BYOD, phishing protection, and browser security posture. Respondents’ answers were classified according to their architecture (all-SaaS, hybrid, and mostly on-prem), showing how the relative importance of the browser increases with the level of the organization’s SaaS adoption.
Main takeaways for CISOs
- Organizations in the cloud are exposed to web-borne attacks. 87% of all-SaaS adopters and 79% of CISOs in a hybrid environment experienced a web-borne security threat in the past 12 months.
- Account takeover is a top concern. 48% list credential phishing as the riskiest browser threat, followed by malicious browser extensions (37%), malware download (9%), and browser vulnerabilities (6%).
- Unsanctioned apps and shadow identities are perceived as unaddressed security gaps. 95% of organizations have a coverage level of 50% or less for unsanctioned apps.
- Most organizations employ at least two security measures to combat phishing attacks. 79% employ network security tools, like firewalls and SWGs.
- Both all-SaaS and hybrid organizations use network solutions to block phishing, but realize this is not an efficient strategy. 80% have a coverage level of 50% or less.
Incidentally, browser security controls are not perceived as efficient enough, with more than half rating them as efficient to “Some extent”. Luckily, there is a healthy trend toward investing in a browser security solution. Most are leaning towards a browser security solution that can be deployed with commercial browsers.
“This is the first time such an all-encompassing survey has been conducted about browser security,” said Or Eshed, CEO of LayerX. “With the browser being the key work interface in the modern environment, our hope is that these survey results help CISOs address web-borne threats and mitigate SaaS-related risks.”